A well-thought-out professional attack against a wireless network is likely to flow in the following sequence:
1. Enumerating the network and its coverage area via the information available online and from personal contacts and social engineering resources. Never underestimate the power of Google, and remember that humans are and always will be the weakest link.
2. Planning the site survey methodology and the attacks necessary to launch against the tested network.
3. Assembling, setting up, configuring, and checking all the hardware devices and software tools necessary to carry out the procedures planned in step 2.
4. Surveying the network site and determining the network boundaries and signal strength along the network perimeter. At this stage use omnidirectional antennas first, then semidirectional antennas, then high-gain directional grids or dishes. Establish the best sites for stationary attacks against the target network. Considerations when choosing such sites include the LoS, signal strength and SNR, physical stealth factors (site visibility, reachability by security guards and CCTV), comfort for the attacker in terms of laptop and antenna placement, and the site's physical security (watch out for rough areas; laptops are expensive!).
5. Analyzing the network traffic available. Is the traffic encrypted? How high is the network load? Which management or control frames are present, and how much information can we gather from them? Are there obvious problems with the network (high level of noise, channel overlapping, other forms of interference, lost client hosts sending probe requests)?
6. Trying to overcome the discovered safeguards. This might involve bypassing MAC and protocol filtering, determining closed ESSIDs, cracking WEP, and defeating higher-layer defensive countermeasures, such as wireless gateway traffic filtering, RADIUS-based user authentication, and VPNs.
7. Associating to the wireless network and discovering the gateway to the Internet or border router, possible wireless and wired IDS sensors, centralized logging host(s), and all other detectable hosts on both the wired LAN and the WLAN.
8. Passively enumerating these hosts and analyzing the security of the protocols present on the wireless and connected wired LANs.
9. Actively enumerating interesting hosts found and launching attacks against them aimed at gaining root, administrator, enable, and other privileges.
10. Connecting to the Internet or peer networks via the discovered gateway and testing the ability to download and upload files between the Internet or peer network and the wireless attacker's host.
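The traffic-analysis step above (management frames, SNR, channel overlap, lost clients sending probe requests) describes exactly the signals a defender's wireless monitoring should also be watching for. The following is an added example, not code from the original text: a small wireless-IDS-style analyzer that runs over constructed sensor log lines and flags (1) client hosts probing for many distinct ESSIDs, which leak the networks a roaming laptop remembers, (2) access points with a low signal-to-noise ratio, suggesting noise or interference, and (3) APs on overlapping 2.4 GHz channels (channels fewer than five apart overlap). The log line format, MAC addresses, ESSIDs and thresholds are all assumptions made for this example.

```python
"""Added example (not from the original text): a tiny wireless-IDS-style
analyzer over constructed sensor log lines, showing the defender's view of
the traffic-analysis observations listed in the attack sequence."""
from collections import defaultdict
from itertools import combinations

# Constructed sample sensor output. Format (an assumption for this example):
#   <time> <frame_type> key=value key=value ...
SAMPLE_LOG = """\
10:00:01 beacon bssid=00:11:22:33:44:55 essid=corp-wlan chan=6 signal=-45 noise=-92
10:00:02 probe_req src=aa:bb:cc:00:00:01 essid=corp-wlan
10:00:03 probe_req src=aa:bb:cc:00:00:02 essid=home-net
10:00:03 probe_req src=aa:bb:cc:00:00:02 essid=coffee-shop
10:00:04 probe_req src=aa:bb:cc:00:00:02 essid=hotel-guest
10:00:04 probe_req src=aa:bb:cc:00:00:02 essid=airport-free
10:00:05 beacon bssid=00:11:22:33:44:66 essid=corp-wlan chan=7 signal=-80 noise=-85
10:00:06 probe_req src=aa:bb:cc:00:00:01 essid=corp-wlan
"""

LOST_CLIENT_THRESHOLD = 3   # distinct ESSIDs probed before a client is flagged
LOW_SNR_DB = 10             # SNR (dB) below this suggests noise or interference
CHANNEL_SPACING = 5         # 2.4 GHz channels closer than this overlap


def parse_line(line):
    """Parse one sensor line into (timestamp, frame_type, fields dict), or None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {}
    for token in parts[2:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return parts[0], parts[1], fields


def frames(log_text, frame_type):
    """Yield the field dicts of all frames of the given type in the log."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[1] == frame_type:
            yield parsed[2]


def find_lost_clients(log_text, threshold=LOST_CLIENT_THRESHOLD):
    """Return {client_mac: sorted ESSIDs} for clients probing >= threshold networks."""
    probed = defaultdict(set)
    for f in frames(log_text, "probe_req"):
        if f.get("src") and f.get("essid"):
            probed[f["src"]].add(f["essid"])
    return {mac: sorted(e) for mac, e in probed.items() if len(e) >= threshold}


def ap_snr(log_text):
    """Return {bssid: snr_db} from beacon signal/noise readings (both in dBm)."""
    snr = {}
    for f in frames(log_text, "beacon"):
        if "bssid" in f and "signal" in f and "noise" in f:
            snr[f["bssid"]] = int(f["signal"]) - int(f["noise"])
    return snr


def low_snr_aps(log_text, floor_db=LOW_SNR_DB):
    """Return the subset of APs whose SNR is below floor_db."""
    return {b: v for b, v in ap_snr(log_text).items() if v < floor_db}


def overlapping_aps(log_text, spacing=CHANNEL_SPACING):
    """Return sorted (bssid_a, bssid_b) pairs whose 2.4 GHz channels overlap."""
    chans = {f["bssid"]: int(f["chan"]) for f in frames(log_text, "beacon")
             if "bssid" in f and "chan" in f}
    return sorted((a, b) for a, b in combinations(sorted(chans), 2)
                  if abs(chans[a] - chans[b]) < spacing)


if __name__ == "__main__":
    for mac, essids in find_lost_clients(SAMPLE_LOG).items():
        print(f"lost client {mac} probing {len(essids)} ESSIDs: {', '.join(essids)}")
    for bssid, v in ap_snr(SAMPLE_LOG).items():
        flag = " (low: check for noise or interference)" if v < LOW_SNR_DB else ""
        print(f"AP {bssid} SNR {v} dB{flag}")
    for a, b in overlapping_aps(SAMPLE_LOG):
        print(f"APs {a} and {b} are on overlapping channels")
```

In a real deployment the sensor output would come from a monitor-mode capture rather than a string, but the three checks stay the same: a client leaking a long list of remembered ESSIDs is a candidate for a spoofed-AP lure and should be a prompt to tighten client profiles, while low SNR and overlapping channels are the "obvious problems" an attacker would note and a site survey should fix first.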